If you were diligent and installed firmware updates on your Windows computers, you should install the new Microsoft updates as soon as possible. Of course doing that will leave your computer exposed to Spectre V2. There’s no solution, other than to be vigilant and extremely careful about visiting shady web sites, installing downloaded software, and clicking links in email.

I guess I’m lucky that no firmware updates are even available for my computers. If they were available and I had installed them, I might be suffering random reboots and even data loss.

Black-hat hackers who are working on malware that exploits the Spectre and Meltdown vulnerabilities are no doubt enjoying this mess, and I have no doubt that we’ll start seeing real-world examples of their handiwork before long.

It’s been about two weeks since the Spectre and Meltdown CPU flaws were revealed to the world, and we now have a better picture of the scope and impact of those flaws.

Intel CPU chips are vulnerable to both Spectre and Meltdown: almost every Intel CPU made since 1995 is affected. AMD CPUs are vulnerable to Spectre, and ARM CPUs, found in millions of mobile and IoT devices, are vulnerable to Meltdown.

Spectre variant 1 and Meltdown have been patched in Windows, macOS, iOS, Android, and Linux. So far, these updates don’t seem to have affected performance on those platforms.

Spectre variant 2 can only be fixed with a firmware update, which will be optional on most platforms, but also seems likely to result in reduced performance. Firmware updates are more difficult to install than software updates. The task should not be undertaken by casual users, since mistakes can result in ‘bricked’ (unusable) devices. One possible exception is Linux, which in some cases allows for updates to be read from a file during startup, eliminating the need for updating firmware.

Intel is making available firmware updates that will hopefully eliminate the threat on affected computers, but — as Microsoft has demonstrated — many of those computers will be slowed significantly by the updates. Intel is downplaying the performance impact, saying that many users won’t even notice the difference.

I/O bound servers could be affected greatly (Microsoft may recommend avoiding the firmware updates in this case)

Unfortunately, many PC and device makers first learned of the CPU flaws when the rest of us did: on January 3. While Intel, Microsoft, and the other major players knew about the problem months earlier, less high-profile companies are now scrambling to develop firmware updates for their devices. Most are concentrating on their most recent models, and may never release updates for older devices. For example, as of January 21, the Asus web site does not show any recent firmware updates for my Asus M70AD PC. Millions of other devices seem likely to remain permanently vulnerable to Spectre 2.

The Spectre and Meltdown flaws are very deep inside the internal hardware of almost all computers. This makes them very unusual: more difficult to fix, and potentially very dangerous. Even worse, many Internet of Things devices use affected chips; these devices are usually difficult (if not impossible) to update, and may never be fixed.

The vulnerabilities were discovered in early June 2017, and disclosed privately to CPU chip makers first, then to O/S makers, browser makers, cloud and server providers. Some arguably important groups were left out, including CERT, but despite disclosure being handled responsibly, the news leaked out ahead of schedule on January 4. A lot of work had already been done, but hardly anyone was truly ready.

Intel’s response to the flaws in their CPUs has been criticized by some, and it does seem that the chip giant is not being completely transparent. Intel continues to downplay the seriousness of the flaws, and the performance impact of firmware updates. It’s also fair to ask whether in the rush to increase processor speed, security is being neglected by Intel and the other chip makers. The Spectre and Meltdown flaws should arguably have been caught in development.

What are the actual risks involved?

A malicious process on your computer could read data from another process (such as your banking app) and send it to anyone. This kind of exploit has been demonstrated as effective, and it can even be accomplished using specially-crafted Javascript code on a web site.

A malicious process on a web-based service, server, or virtual machine could read data from another process on that machine or a virtual machine that’s controlled by someone else.

Risks going forward: this has all been rushed (despite some advance warning), and the changes are at the core of CPUs and O/S kernels. Emergency fixes have a way of causing new, hidden problems. We will probably be dealing with the fallout from these flaws for months.

Major patches are coming, for most operating systems and devices running modern (made in the last 10 years or so) processors. Changes to Windows, Linux, macOS, and most other systems will modify the way memory is used, ameliorating critical CPU security flaws, and slowing them down significantly in the process.

There’s been a lot of secrecy around this issue, with details of the flaws — discovered several months ago — only now coming to light as O/S vendors scramble to prepare patches. The flaws (commonly referred to as Spectre and Meltdown) involve potential leaking of information, as described in a recent post on The Register:

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on.

Much of this is still speculation, but the reality may be even worse, so hang onto your socks, since this is going to get ugly. It’s easy to imagine class action lawsuits arising out of the mess.

Those of you running light operating systems on older hardware may have the last laugh: while many of the world’s computers will soon be noticeably — and unavoidably — slower, yours will keep chugging along unaffected… at least until they’re used to access any of the millions of computers that power web sites and services. Major providers may have no choice but to install the updates, significantly reducing the processing power of their systems.

For computers running Windows 10, system updates are literally unavoidable, and the slowdown inevitable. The rest of us will need to decide whether to risk leaving the vulnerabilities exposed, or patch them and deal with the resulting performance hit. Exploiting the vulnerabilities is not straightforward, and it should be possible to stay safe by avoiding risky behaviour, such as indiscriminately running unknown software, visiting dubious web sites, and opening links in email. However, the full extent of the risks involved is not yet known.

Update 2018Jan04: Corrected title and content to show that the problem affects all modern processors, not just those made by Intel, and that there are multiple vulnerabilities. Also added more related articles.

If you use Twitter, reddit, Amazon, Tumblr, Spotify or Netflix, you may have noticed that they were slower than usual for parts of yesterday. That’s because the affected sites and services use Dyn, a DNS service provider, and Dyn was hit by two huge DDoS attacks yesterday.

The attacks lasted for a few hours, and while they certainly affected a lot of people, they were no more than an inconvenience for most. Still, the surge in the number and size of these attacks is troubling.

Analysis of the attacks shows that they were made possible by the Mirai botnet, which uses a huge network of poorly-secured (and now compromised) DVRs and security cameras. Those are the same tools used in the recent krebsonsecurity.com and OVH DDoS attacks. The source code for Mirai was released to the public recently, which means just about anyone could have caused the Dyn attacks.

Chinese device maker Hangzhou Xiongmai has issued a recall for several of its webcam models that were used in the attacks. However, they are only one company out of hundreds (maybe thousands?) of companies producing poorly-secured IoT devices.

Update 2016Oct25: According to Brian Krebs, Xiongmai has also made vague legal threats against anyone issuing ‘false statements’ about the company. This is presumably part of a PR effort to improve the company’s image in the wake of the attacks, but it’s hard to see how this will help anyone. The company’s main objections apparently relate to statements by Brian Krebs and others about users’ ability to change passwords. Testing has shown that back-door, unchangeable passwords exist on some of the affected devices.

Companies like XiongMai Technologies and Dahua share the blame for flooding the Internet with these easily-co-opted devices. XiongMai Technologies created devices that are inherently insecure and unsuitable for direct connection to the Internet. Dahua either failed to comprehend the danger, or chose to ignore it, producing deeply flawed consumer devices and – as Brian Krebs puts it – dumping toxic waste onto the Internet. These devices are spread around the globe, most to be plugged in and forgotten for years, ready to be abused by whoever can find them. Some of these devices can’t actually be fixed, since their vulnerabilities exist in firmware that can’t be updated.

Dahua’s response to all this isn’t likely to reduce concerns, since it tries to shift the blame onto users who failed to change default passwords, while ignoring the fact that these passwords cannot be changed in some cases.

What can be done about this? Beyond locating and removing the current crop of vulnerable devices – a difficult task in itself – how can we avoid this situation in the future? Preventing poor quality products from entering the market is ultimately the responsibility of governments. Until authorities get involved, this is likely to keep happening. If they fail to act now, the attacks will continue to get worse until commerce is affected, at which point it will no longer be possible for governments to ignore the problem. Bruce Schneier shares this view.

The good news is that the European Union is already taking action. The EU is planning to upgrade its telecommunications laws, which are now expected to include requirements for labeling IoT devices that are secure and approved for Internet connection. This kind of labeling already works well for showing the energy usage of electrical appliances.

Kudos to the European Commission for recognizing that the ongoing flood of crappy IoT devices is a major contributor to Internet-related problems, including the recent, massive DDoS attacks. Let’s hope that other governing bodies wake up soon.

It’s standard practice to tell users to lock their computers when they walk away from their desks. A locked computer presents an obstacle to anyone with physical access who’s interested in poking around or stealing data. But in reality, once someone has physical access to a computer, there are ways to gain full access, even when that computer is locked. Now there’s a new technique that simplifies this task. A specially set up thumb drive is inserted in the target computer (Mac or PC), and 20 seconds later, the intruder has valid login credentials in their hands.

Two Factor Authentication (2FA or MFA) is an increasingly-common way to bolster your security when using Internet-based services and web sites. It adds a second step to the login process, which usually involves entering a special code. Many sites and services that offer 2FA send codes to your registered cell phone via SMS text messages. Unfortunately, that specific method (codes via SMS) can be co-opted by attackers who already have your password (which is increasingly likely with all the recent breaches). If you’re using SMS text for 2FA, you should look into more secure methods. Google Authenticator generates temporary, time-limited codes using an app on your smartphone. Duo Security has an app that receives special ‘push’ messages from the site you’re trying to access, and all you have to do is click a button on your cell phone to get in.

Bruce Schneier wants everyone to stop blaming the user for security problems and create systems that are more inherently secure. As things are today, the user gets most of the blame when something goes wrong. Clearly, using weak passwords, re-using passwords, and generally being vulnerable to phishing and other manipulation point to the user as the weak link. But Schneier thinks pointing at the user isn’t helpful, especially when that link is unlikely to ever change. Instead, he wants to limit the involvement of the user; to create fewer security pitfalls. He points to current efforts along those lines, including automatic security updates, and virtualization. Which are both great ideas, as long as us techie folks have a way to bypass those things.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.

After providing some background on the current privacy situation, and how we got here, Doctorow speculates on what will happen when even the absurd notice-and-consent terms of use agreements that we see (and blindly agree to) every day are gone, leaving us surrounded with devices that invade our privacy without any pretense at consent, all in the name of commerce.

In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.

Meanwhile, Doctorow wonders whether and when this will come to a head with some kind of legal challenge. There have been attempts to challenge the validity of terms of use agreements that nobody ever reads, but so far the results are not promising.

I’d like to see Microsoft singled out for its current Windows strategy, which includes gathering and transmitting user information, ostensibly for the purpose of providing better support, but which can also be used to better target advertising, another feature of newer versions of Windows. To be sure, these features are currently protected behind terms of use agreements, but even those could disappear in a world dominated by smart devices.

In their most recent report, Backblaze’s data includes 8 terabyte drives for the first time. Failure rates for the 8 TB drives is slightly higher than smaller drives, but this may be due to the fact that all of the 8 TB drives are new, and new drives tend to fail more often than drives that have been running for a while.

As usual, HGST (Hitachi) drives top the reliability charts, but Seagate is now close behind. Western Digital failure rates are the worst of all the drives analyzed.

The researchers developed a specific attack called Keysniffer, and used it to both read user keystrokes and inject their own keystrokes remotely, from as far away as 250 feet. The attack is possible because the affected keyboards don’t encrypt communications with the host computer.

jrivett’s Tweets

New white paper confirms that compromising encryption (to make law enforcement a bit easier) is a very bad idea. AG and FBI officials are really just advertising their own weakness when they complain about this. techdirt.com/article…

Describing his hobby as 'fun' and saying “I never intended for anyone to get shot and killed”, this serial Swatter will hopefully get 10+ years behind bars for his role in a Kansas death-by-SWAT. krebsonsecurity.com/…